package com.floragunn.searchguard.enterprise.auditlog.impl;

import com.floragunn.codova.config.text.Pattern;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.documents.patch.JsonPatch;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.enterprise.auditlog.AuditLogConfig;
import com.floragunn.searchguard.enterprise.auditlog.impl.AuditMessage;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchguard.user.UserInformation;
import com.floragunn.searchsupport.PrivilegedCode;
import com.google.common.io.BaseEncoding;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.stream.Collectors;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.xcontent.DeprecationHandler;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.env.Environment;
import org.elasticsearch.index.engine.Engine;
import org.elasticsearch.index.get.GetResult;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auditlog/impl/AbstractAuditLog.class */
public abstract class AbstractAuditLog implements AuditLog {
    // Collaborators and raw settings, stored as passed to the constructor.
    protected final ThreadPool threadPool;
    protected final IndexNameExpressionResolver resolver;
    protected final ClusterService clusterService;
    protected final Settings settings;
    // searchguard.audit.enable_rest, default true.
    protected final boolean restAuditingEnabled;
    // searchguard.audit.enable_transport, default true.
    protected final boolean transportAuditingEnabled;
    // searchguard.audit.resolve_bulk_requests, default false.
    protected final boolean resolveBulkRequests;
    // searchguard.audit.log_request_body, default true: request content is copied into audit
    // records unless this is switched off, so the audit sink needs to be protected accordingly.
    protected final boolean logRequestBody;
    // searchguard.audit.resolve_indices, default true.
    protected final boolean resolveIndices;
    // User-name patterns built by the constructor from the *.ignore_users settings. Each falls back
    // to Pattern.blank() when the list is empty, is the single entry "NONE", or fails validation.
    private Pattern ignoredAuditUsers;
    private Pattern ignoredComplianceUsersForRead;
    private Pattern ignoredComplianceUsersForWrite;
    // searchguard.audit.ignore_requests; Pattern.blank() when the setting fails validation.
    private Pattern ignoreAuditRequests;
    // Upper-cased category names from searchguard.audit.config.disabled_rest_categories and
    // disabled_transport_categories; each list is emptied when its only entry is "NONE".
    private final List<String> disabledRestCategories;
    private final List<String> disabledTransportCategories;
    // searchguard.audit.exclude_sensitive_headers, default true. In this class it is only handed to
    // addRestHeaders(...) and RequestResolver.resolve(...).
    private final boolean excludeSensitiveHeaders;
    // searchguard.compliance.history.external_config.env_vars.enabled, default true.
    private final boolean logEnvVars;
    // Null until setComplianceConfig(...) is called; logDocumentRead and logDocumentWritten return
    // immediately while it is null.
    private AuditLogConfig complianceConfig;
    // Pattern of the Search Guard configuration indices, or Pattern.blank() when no
    // ConfigurationRepository was supplied.
    private final Pattern searchguardIndexPattern;
    protected final ConfigurationRepository configurationRepository;
    // Simple class names of write requests. Static, so shared by every instance, and appended to by
    // the constructor; logDocumentRead uses it to skip reads that were triggered by a write.
    private static final List<String> writeClasses = new ArrayList();
    protected final Logger log = LogManager.getLogger(getClass());
    // Categories that are NOT audited unless the disabled_*_categories settings say otherwise.
    private final List<String> defaultDisabledCategories = Arrays.asList(AuditMessage.Category.AUTHENTICATED.toString(), AuditMessage.Category.GRANTED_PRIVILEGES.toString());
    // Users that are NOT audited unless the *.ignore_users settings say otherwise.
    private final List<String> defaultIgnoredUsers = Arrays.asList("kibanaserver");

    /* JADX INFO: Access modifiers changed from: protected */
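    /**
     * Reads the audit and compliance settings once and derives the filters used by the log methods.
     *
     * <p>Security-relevant defaults visible here: request bodies are logged
     * ({@code searchguard.audit.log_request_body} defaults to {@code true}), sensitive headers are
     * excluded ({@code searchguard.audit.exclude_sensitive_headers} defaults to {@code true}), the
     * AUTHENTICATED and GRANTED_PRIVILEGES categories are disabled on both layers, and the user
     * {@code kibanaserver} is ignored. Every ignore list and disabled category is a gap in the audit
     * trail, so the effective values are written to the node log at INFO.
     *
     * <p>An ignore list that fails validation is replaced by {@code Pattern.blank()} (presumably a
     * pattern that matches nothing, i.e. nobody is ignored; confirm against {@code Pattern}) and all
     * such problems are reported in one ERROR message at the end. Construction itself does not fail.
     *
     * @param settings node settings the audit configuration is read from
     * @param threadPool stored for later use by the log methods
     * @param indexNameExpressionResolver stored as {@code resolver}
     * @param clusterService stored for later use by the log methods
     * @param configurationRepository source of the Search Guard index pattern; may be {@code null},
     *     in which case the pattern is {@code Pattern.blank()}
     */
    public AbstractAuditLog(Settings settings, ThreadPool threadPool, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, ConfigurationRepository configurationRepository) {
        // writeClasses is static and shared by all instances: register each name only once so the
        // list does not grow with every audit log that is constructed.
        for (String writeClassName : Arrays.asList(IndexRequest.class.getSimpleName(), UpdateRequest.class.getSimpleName(), BulkRequest.class.getSimpleName(), BulkShardRequest.class.getSimpleName(), DeleteRequest.class.getSimpleName())) {
            if (!writeClasses.contains(writeClassName)) {
                writeClasses.add(writeClassName);
            }
        }
        ValidationErrors validationErrors = new ValidationErrors();
        this.threadPool = threadPool;
        this.settings = settings;
        this.resolver = indexNameExpressionResolver;
        this.clusterService = clusterService;
        this.configurationRepository = configurationRepository;
        this.searchguardIndexPattern = configurationRepository != null ? configurationRepository.getConfiguredSearchguardIndices() : Pattern.blank();
        this.resolveBulkRequests = settings.getAsBoolean("searchguard.audit.resolve_bulk_requests", false).booleanValue();
        this.restAuditingEnabled = settings.getAsBoolean("searchguard.audit.enable_rest", true).booleanValue();
        this.transportAuditingEnabled = settings.getAsBoolean("searchguard.audit.enable_transport", true).booleanValue();
        this.logEnvVars = settings.getAsBoolean("searchguard.compliance.history.external_config.env_vars.enabled", true).booleanValue();
        this.logRequestBody = settings.getAsBoolean("searchguard.audit.log_request_body", true).booleanValue();
        this.resolveIndices = settings.getAsBoolean("searchguard.audit.resolve_indices", true).booleanValue();
        this.excludeSensitiveHeaders = settings.getAsBoolean("searchguard.audit.exclude_sensitive_headers", true).booleanValue();

        // Category names are normalised with Locale.ROOT: with the default locale a lower-case "i"
        // can upper-case to a dotted capital (e.g. under a Turkish locale), the name would no longer
        // equal the enum constant, and the category would silently stay enabled.
        this.disabledRestCategories = settings.getAsList("searchguard.audit.config.disabled_rest_categories", this.defaultDisabledCategories).stream()
                .map(name -> name.toUpperCase(java.util.Locale.ROOT))
                .collect(Collectors.toCollection(ArrayList::new));
        if (this.disabledRestCategories.size() == 1 && "NONE".equals(this.disabledRestCategories.get(0))) {
            this.disabledRestCategories.clear();
        }
        if (!this.disabledRestCategories.isEmpty()) {
            this.log.info("Configured categories on rest layer to ignore: {}", this.disabledRestCategories);
        }
        this.disabledTransportCategories = settings.getAsList("searchguard.audit.config.disabled_transport_categories", this.defaultDisabledCategories).stream()
                .map(name -> name.toUpperCase(java.util.Locale.ROOT))
                .collect(Collectors.toCollection(ArrayList::new));
        if (this.disabledTransportCategories.size() == 1 && "NONE".equals(this.disabledTransportCategories.get(0))) {
            this.disabledTransportCategories.clear();
        }
        if (!this.disabledTransportCategories.isEmpty()) {
            this.log.info("Configured categories on transport layer to ignore: {}", this.disabledTransportCategories);
        }

        List<String> auditIgnoredUsers = new ArrayList<>(settings.getAsList("searchguard.audit.ignore_users", this.defaultIgnoredUsers));
        if (auditIgnoredUsers.isEmpty() || (auditIgnoredUsers.size() == 1 && "NONE".equals(auditIgnoredUsers.get(0)))) {
            this.ignoredAuditUsers = Pattern.blank();
        } else {
            this.log.info("Configured Users to ignore: {}", auditIgnoredUsers);
            try {
                this.ignoredAuditUsers = Pattern.create(auditIgnoredUsers);
            } catch (ConfigValidationException e) {
                validationErrors.add("searchguard.audit.ignore_users", e);
                this.ignoredAuditUsers = Pattern.blank();
            }
        }

        List<String> readIgnoredUsers = new ArrayList<>(settings.getAsList("searchguard.compliance.history.read.ignore_users", this.defaultIgnoredUsers));
        if (readIgnoredUsers.isEmpty() || (readIgnoredUsers.size() == 1 && "NONE".equals(readIgnoredUsers.get(0)))) {
            this.ignoredComplianceUsersForRead = Pattern.blank();
        } else {
            this.log.info("Configured Users to ignore for read compliance events: {}", readIgnoredUsers);
            try {
                this.ignoredComplianceUsersForRead = Pattern.create(readIgnoredUsers);
            } catch (ConfigValidationException e) {
                validationErrors.add("searchguard.compliance.history.read.ignore_users", e);
                this.ignoredComplianceUsersForRead = Pattern.blank();
            }
        }

        List<String> writeIgnoredUsers = new ArrayList<>(settings.getAsList("searchguard.compliance.history.write.ignore_users", this.defaultIgnoredUsers));
        // The emptiness test must look at the WRITE list. Testing the read list here (a copy/paste
        // slip) made the write ignore list depend on how the read list was configured.
        if (writeIgnoredUsers.isEmpty() || (writeIgnoredUsers.size() == 1 && "NONE".equals(writeIgnoredUsers.get(0)))) {
            this.ignoredComplianceUsersForWrite = Pattern.blank();
        } else {
            this.log.info("Configured Users to ignore for write compliance events: {}", writeIgnoredUsers);
            try {
                this.ignoredComplianceUsersForWrite = Pattern.create(writeIgnoredUsers);
            } catch (ConfigValidationException e) {
                validationErrors.add("searchguard.compliance.history.write.ignore_users", e);
                this.ignoredComplianceUsersForWrite = Pattern.blank();
            }
        }

        try {
            this.ignoreAuditRequests = Pattern.create(settings.getAsList("searchguard.audit.ignore_requests", Collections.emptyList()));
        } catch (ConfigValidationException e) {
            validationErrors.add("searchguard.audit.ignore_requests", e);
            this.ignoreAuditRequests = Pattern.blank();
        }

        // An unknown name is only reported, it stays in the list. The message names the setting that
        // is actually read above so an operator can find the typo.
        for (String categoryName : this.disabledRestCategories) {
            try {
                AuditMessage.Category.valueOf(categoryName);
            } catch (IllegalArgumentException ignored) {
                this.log.error("Unknown category {}, please check searchguard.audit.config.disabled_rest_categories settings", categoryName);
            }
        }
        for (String categoryName : this.disabledTransportCategories) {
            try {
                AuditMessage.Category.valueOf(categoryName);
            } catch (IllegalArgumentException ignored) {
                this.log.error("Unknown category {}, please check searchguard.audit.config.disabled_transport_categories settings", categoryName);
            }
        }

        if (validationErrors.size() != 0) {
            this.log.error("The audit log configuration contains errors:\n" + validationErrors.toString());
        }
    }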

    /**
     * Installs the compliance configuration consulted by {@code logDocumentRead} and
     * {@code logDocumentWritten}.
     *
     * <p>Until this has been called with a non-null value those two methods return without
     * recording anything, so document read/write history is not captured during that window.
     *
     * @param auditLogConfig the configuration to use; {@code null} switches compliance logging off
     */
    public void setComplianceConfig(AuditLogConfig auditLogConfig) {
        // NOTE(review): the field is neither final nor volatile. If this setter runs on a different
        // thread than the logging calls, visibility of the new value is not guaranteed; confirm how
        // callers publish it.
        this.complianceConfig = auditLogConfig;
    }

    /**
     * Records a failed login seen on the transport layer.
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the FAILED_LOGIN category for
     * this user and request. Every message produced by {@code RequestResolver.resolve} is saved.
     *
     * @param userInformation user passed to the filter and to the resolver (the REST overload
     *     records the argument in this position as the effective user)
     * @param z flag forwarded to the resolver (the REST overload records it as "is admin DN")
     * @param userInformation2 second user forwarded to the resolver (initiating user in the REST
     *     overload)
     * @param transportRequest the request being audited
     * @param task the task forwarded to the resolver
     */
    public void logFailedLogin(UserInformation userInformation, boolean z, UserInformation userInformation2, TransportRequest transportRequest, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.FAILED_LOGIN, null, userInformation, transportRequest)) {
            return;
        }
        for (AuditMessage resolvedMessage : RequestResolver.resolve(
                AuditMessage.Category.FAILED_LOGIN, getOrigin(), null, null, userInformation, Boolean.valueOf(z), userInformation2,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(resolvedMessage);
        }
    }

    /**
     * Records a failed login seen on the REST layer.
     *
     * <p>Nothing is saved unless {@code checkRestFilter} accepts the FAILED_LOGIN category. When a
     * request is present its path, headers and parameters are recorded, and its body too if
     * {@code logRequestBody} is set.
     *
     * @param userInformation recorded as the effective user
     * @param z recorded as the "is admin DN" flag
     * @param userInformation2 recorded as the initiating user
     * @param restRequest the request being audited; may be {@code null}
     */
    public void logFailedLogin(UserInformation userInformation, boolean z, UserInformation userInformation2, RestRequest restRequest) {
        if (!checkRestFilter(AuditMessage.Category.FAILED_LOGIN, userInformation, restRequest)) {
            return;
        }
        AuditMessage failedLogin = new AuditMessage(AuditMessage.Category.FAILED_LOGIN, this.clusterService, getOrigin(), AuditLog.Origin.REST);
        failedLogin.addRemoteAddress(getRemoteAddress());
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                failedLogin.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            failedLogin.addPath(restRequest.path());
            failedLogin.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            // NOTE(review): excludeSensitiveHeaders is applied to headers only; query parameters are
            // recorded as received. Confirm that credentials sent as URL parameters are handled
            // inside addRestParams or before this point.
            failedLogin.addRestParams(restRequest.params());
        }
        failedLogin.addInitiatingUser(userInformation2);
        failedLogin.addEffectiveUser(userInformation);
        failedLogin.addIsAdminDn(z);
        save(failedLogin);
    }

    /**
     * Records a request from a blocked user on the transport layer.
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the BLOCKED_USER category.
     * Every message produced by {@code RequestResolver.resolve} is saved.
     *
     * @param userInformation user passed to the filter and to the resolver
     * @param z flag forwarded to the resolver (recorded as "is admin DN" by the REST overload)
     * @param userInformation2 second user forwarded to the resolver
     * @param transportRequest the request being audited
     * @param task the task forwarded to the resolver
     */
    public void logBlockedUser(UserInformation userInformation, boolean z, UserInformation userInformation2, TransportRequest transportRequest, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.BLOCKED_USER, null, userInformation, transportRequest)) {
            return;
        }
        for (AuditMessage blockedUserMessage : RequestResolver.resolve(
                AuditMessage.Category.BLOCKED_USER, getOrigin(), null, null, userInformation, Boolean.valueOf(z), userInformation2,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(blockedUserMessage);
        }
    }

    /**
     * Records a request from a blocked user on the REST layer.
     *
     * <p>Nothing is saved unless {@code checkRestFilter} accepts the BLOCKED_USER category. The
     * request body is recorded only when {@code logRequestBody} is set and the request has content.
     *
     * @param userInformation recorded as the effective user
     * @param z recorded as the "is admin DN" flag
     * @param userInformation2 recorded as the initiating user
     * @param restRequest the request being audited; may be {@code null}
     */
    public void logBlockedUser(UserInformation userInformation, boolean z, UserInformation userInformation2, RestRequest restRequest) {
        if (!checkRestFilter(AuditMessage.Category.BLOCKED_USER, userInformation, restRequest)) {
            return;
        }
        AuditMessage blockedUser = new AuditMessage(AuditMessage.Category.BLOCKED_USER, this.clusterService, getOrigin(), AuditLog.Origin.REST);
        blockedUser.addRemoteAddress(getRemoteAddress());
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                blockedUser.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            blockedUser.addPath(restRequest.path());
            // Only the headers go through the sensitive-header switch; params are stored as given.
            blockedUser.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            blockedUser.addRestParams(restRequest.params());
        }
        blockedUser.addInitiatingUser(userInformation2);
        blockedUser.addEffectiveUser(userInformation);
        blockedUser.addIsAdminDn(z);
        save(blockedUser);
    }

    /**
     * Records a successful login on the transport layer (category AUTHENTICATED).
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the category. AUTHENTICATED is
     * one of the categories the constructor disables by default, so this event is normally only
     * recorded after the disabled-categories setting has been changed.
     *
     * @param userInformation user passed to the filter and to the resolver
     * @param z flag forwarded to the resolver
     * @param userInformation2 second user forwarded to the resolver
     * @param transportRequest the request being audited
     * @param str value passed to the filter and as the resolver's third argument
     * @param task the task forwarded to the resolver
     */
    public void logSucceededLogin(UserInformation userInformation, boolean z, UserInformation userInformation2, TransportRequest transportRequest, String str, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.AUTHENTICATED, str, userInformation, transportRequest)) {
            return;
        }
        for (AuditMessage authenticatedMessage : RequestResolver.resolve(
                AuditMessage.Category.AUTHENTICATED, getOrigin(), str, null, userInformation, Boolean.valueOf(z), userInformation2,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(authenticatedMessage);
        }
    }

    /**
     * Records a successful login on the REST layer (category AUTHENTICATED).
     *
     * <p>Nothing is saved unless {@code checkRestFilter} accepts the category. With
     * {@code logRequestBody} set, the body of the authenticated request is copied into the record.
     *
     * @param userInformation recorded as the effective user
     * @param z recorded as the "is admin DN" flag
     * @param userInformation2 recorded as the initiating user
     * @param restRequest the request being audited; may be {@code null}
     */
    public void logSucceededLogin(UserInformation userInformation, boolean z, UserInformation userInformation2, RestRequest restRequest) {
        if (!checkRestFilter(AuditMessage.Category.AUTHENTICATED, userInformation, restRequest)) {
            return;
        }
        AuditMessage authenticated = new AuditMessage(AuditMessage.Category.AUTHENTICATED, this.clusterService, getOrigin(), AuditLog.Origin.REST);
        authenticated.addRemoteAddress(getRemoteAddress());
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                authenticated.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            authenticated.addPath(restRequest.path());
            authenticated.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            authenticated.addRestParams(restRequest.params());
        }
        authenticated.addInitiatingUser(userInformation2);
        authenticated.addEffectiveUser(userInformation);
        authenticated.addIsAdminDn(z);
        save(authenticated);
    }

    /**
     * Records a REST request that was rejected for missing privileges.
     *
     * <p>Nothing is saved unless {@code checkRestFilter} accepts the MISSING_PRIVILEGES category.
     *
     * @param str not used by this overload
     * @param userInformation recorded as the effective user
     * @param restRequest the request being audited; may be {@code null}
     */
    public void logMissingPrivileges(String str, UserInformation userInformation, RestRequest restRequest) {
        if (!checkRestFilter(AuditMessage.Category.MISSING_PRIVILEGES, userInformation, restRequest)) {
            return;
        }
        AuditMessage missingPrivileges = new AuditMessage(AuditMessage.Category.MISSING_PRIVILEGES, this.clusterService, getOrigin(), AuditLog.Origin.REST);
        missingPrivileges.addRemoteAddress(getRemoteAddress());
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                missingPrivileges.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            missingPrivileges.addPath(restRequest.path());
            missingPrivileges.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            missingPrivileges.addRestParams(restRequest.params());
        }
        // NOTE(review): the first argument never reaches the message, whereas the transport overload
        // forwards its String argument to the resolver. If it names the missing privilege, the REST
        // record does not say which privilege was denied; confirm whether that is intended.
        missingPrivileges.addEffectiveUser(userInformation);
        save(missingPrivileges);
    }

    /**
     * Records a transport request that was rejected for missing privileges.
     *
     * <p>The user is taken from {@code getUser()}. Nothing is saved unless
     * {@code checkTransportFilter} accepts the MISSING_PRIVILEGES category.
     *
     * @param str value passed to the filter and as the resolver's fourth argument
     * @param transportRequest the request being audited
     * @param task the task forwarded to the resolver
     */
    public void logMissingPrivileges(String str, TransportRequest transportRequest, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.MISSING_PRIVILEGES, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage deniedMessage : RequestResolver.resolve(
                AuditMessage.Category.MISSING_PRIVILEGES, getOrigin(), null, str, getUser(), null, null,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(deniedMessage);
        }
    }

    /**
     * Records a transport request whose privileges were granted.
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the GRANTED_PRIVILEGES
     * category, which the constructor disables by default.
     *
     * @param str value passed to the filter and as the resolver's fourth argument
     * @param transportRequest the request being audited
     * @param task the task forwarded to the resolver
     */
    public void logGrantedPrivileges(String str, TransportRequest transportRequest, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.GRANTED_PRIVILEGES, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage grantedMessage : RequestResolver.resolve(
                AuditMessage.Category.GRANTED_PRIVILEGES, getOrigin(), null, str, getUser(), null, null,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(grantedMessage);
        }
    }

    /**
     * Records a transport request that carried bad headers.
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the BAD_HEADERS category.
     *
     * @param transportRequest the request being audited
     * @param str value passed to the filter and as the resolver's third argument
     * @param task the task forwarded to the resolver
     */
    public void logBadHeaders(TransportRequest transportRequest, String str, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.BAD_HEADERS, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage badHeadersMessage : RequestResolver.resolve(
                AuditMessage.Category.BAD_HEADERS, getOrigin(), str, null, getUser(), null, null,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(badHeadersMessage);
        }
    }

    /**
     * Records a REST request that carried bad headers.
     *
     * <p>Nothing is saved unless {@code checkRestFilter} accepts the BAD_HEADERS category. The
     * request's headers are recorded through {@code addRestHeaders}, subject to
     * {@code excludeSensitiveHeaders}.
     *
     * @param restRequest the request being audited; may be {@code null}
     */
    public void logBadHeaders(RestRequest restRequest) {
        if (!checkRestFilter(AuditMessage.Category.BAD_HEADERS, getUser(), restRequest)) {
            return;
        }
        AuditMessage badHeaders = new AuditMessage(AuditMessage.Category.BAD_HEADERS, this.clusterService, getOrigin(), AuditLog.Origin.REST);
        badHeaders.addRemoteAddress(getRemoteAddress());
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                badHeaders.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            badHeaders.addPath(restRequest.path());
            badHeaders.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            badHeaders.addRestParams(restRequest.params());
        }
        badHeaders.addEffectiveUser(getUser());
        save(badHeaders);
    }

    /**
     * Records a transport request from a blocked address.
     *
     * <p>Unlike the other transport methods, the remote address given to the resolver is the
     * {@code transportAddress} argument rather than {@code getRemoteAddress()}. Nothing is saved
     * unless {@code checkTransportFilter} accepts the BLOCKED_IP category.
     *
     * @param transportRequest the request being audited
     * @param str value passed to the filter and as the resolver's third argument
     * @param transportAddress address recorded as the remote address
     * @param task the task forwarded to the resolver
     */
    public void logBlockedIp(TransportRequest transportRequest, String str, TransportAddress transportAddress, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.BLOCKED_IP, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage blockedIpMessage : RequestResolver.resolve(
                AuditMessage.Category.BLOCKED_IP, getOrigin(), str, null, getUser(), null, null,
                transportAddress, transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(blockedIpMessage);
        }
    }

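    /**
     * Records a REST request from a blocked address.
     *
     * <p>Nothing is saved unless {@code checkRestFilter} accepts the BLOCKED_IP category. The remote
     * address comes from {@code inetSocketAddress}, not from {@code getRemoteAddress()}.
     *
     * @param restRequest the request being audited; may be {@code null}
     * @param inetSocketAddress the blocked peer; when it is {@code null} the event is still saved,
     *     without a remote address
     */
    public void logBlockedIp(RestRequest restRequest, InetSocketAddress inetSocketAddress) {
        if (!checkRestFilter(AuditMessage.Category.BLOCKED_IP, getUser(), restRequest)) {
            return;
        }
        AuditMessage blockedIp = new AuditMessage(AuditMessage.Category.BLOCKED_IP, this.clusterService, getOrigin(), AuditLog.Origin.REST);
        // getAddress() returns null for an unresolved InetSocketAddress. Dereferencing it directly
        // threw a NullPointerException and the blocked-IP event was lost; fall back to the host
        // string so the event is still recorded.
        if (inetSocketAddress != null) {
            java.net.InetAddress resolvedAddress = inetSocketAddress.getAddress();
            blockedIp.addRemoteAddress(resolvedAddress != null ? resolvedAddress.getHostAddress() : inetSocketAddress.getHostString());
        }
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                blockedIp.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            blockedIp.addPath(restRequest.path());
            blockedIp.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            blockedIp.addRestParams(restRequest.params());
        }
        blockedIp.addEffectiveUser(getUser());
        save(blockedIp);
    }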

    /**
     * Records an attempt to access the Search Guard index over the transport layer.
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the SG_INDEX_ATTEMPT category.
     * The resolver's sixth argument is fixed to {@code false} here.
     *
     * @param transportRequest the request being audited
     * @param str value passed to the filter and as the resolver's third argument
     * @param task the task forwarded to the resolver
     */
    public void logSgIndexAttempt(TransportRequest transportRequest, String str, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.SG_INDEX_ATTEMPT, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage indexAttemptMessage : RequestResolver.resolve(
                AuditMessage.Category.SG_INDEX_ATTEMPT, getOrigin(), str, null, getUser(), false, null,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(indexAttemptMessage);
        }
    }

    /**
     * Records an attempt to modify an immutable index (category
     * COMPLIANCE_IMMUTABLE_INDEX_ATTEMPT).
     *
     * <p>Nothing is saved unless {@code checkTransportFilter} accepts the category. The resolver's
     * sixth argument is fixed to {@code false} here.
     *
     * @param transportRequest the request being audited
     * @param str value passed to the filter and as the resolver's third argument
     * @param task the task forwarded to the resolver
     */
    public void logImmutableIndexAttempt(TransportRequest transportRequest, String str, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.COMPLIANCE_IMMUTABLE_INDEX_ATTEMPT, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage immutableAttemptMessage : RequestResolver.resolve(
                AuditMessage.Category.COMPLIANCE_IMMUTABLE_INDEX_ATTEMPT, getOrigin(), str, null, getUser(), false, null,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, null)) {
            save(immutableAttemptMessage);
        }
    }

    /**
     * Records an SSL/TLS failure on the transport layer.
     *
     * <p>The origin is always {@code AuditLog.Origin.TRANSPORT} rather than {@code getOrigin()}, and
     * the throwable is handed to the resolver as its last argument. Nothing is saved unless
     * {@code checkTransportFilter} accepts the SSL_EXCEPTION category.
     *
     * @param transportRequest the request being audited
     * @param th the failure to record
     * @param str value passed to the filter and as the resolver's third argument
     * @param task the task forwarded to the resolver
     */
    public void logSSLException(TransportRequest transportRequest, Throwable th, String str, Task task) {
        if (!checkTransportFilter(AuditMessage.Category.SSL_EXCEPTION, str, getUser(), transportRequest)) {
            return;
        }
        for (AuditMessage sslFailureMessage : RequestResolver.resolve(
                AuditMessage.Category.SSL_EXCEPTION, AuditLog.Origin.TRANSPORT, str, null, getUser(), false, null,
                getRemoteAddress(), transportRequest, getThreadContextHeaders(), task, this.resolver, this.clusterService,
                this.settings, this.logRequestBody, this.resolveIndices, this.resolveBulkRequests, this.searchguardIndexPattern,
                this.excludeSensitiveHeaders, th)) {
            save(sslFailureMessage);
        }
    }

    /**
     * Records an SSL/TLS failure on the REST layer.
     *
     * <p>Both origin arguments of the message are {@code AuditLog.Origin.REST}. Nothing is saved
     * unless {@code checkRestFilter} accepts the SSL_EXCEPTION category.
     *
     * @param restRequest the request being audited; may be {@code null}
     * @param th the failure to record
     */
    public void logSSLException(RestRequest restRequest, Throwable th) {
        if (!checkRestFilter(AuditMessage.Category.SSL_EXCEPTION, getUser(), restRequest)) {
            return;
        }
        AuditMessage sslFailure = new AuditMessage(AuditMessage.Category.SSL_EXCEPTION, this.clusterService, AuditLog.Origin.REST, AuditLog.Origin.REST);
        sslFailure.addRemoteAddress(getRemoteAddress());
        if (restRequest != null) {
            if (this.logRequestBody && restRequest.hasContentOrSourceParam()) {
                sslFailure.addTupleToRequestBody(restRequest.contentOrSourceParam());
            }
            sslFailure.addPath(restRequest.path());
            sslFailure.addRestHeaders(restRequest.getHeaders(), this.excludeSensitiveHeaders);
            sslFailure.addRestParams(restRequest.params());
        }
        sslFailure.addException(th);
        sslFailure.addEffectiveUser(getUser());
        save(sslFailure);
    }

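    /**
     * Records a compliance event for a document read.
     *
     * <p>The decompiled listing of this method had damaged try/catch regions: an empty {@code try},
     * a reference to an exception variable outside its {@code catch}, and the message saved up to
     * three times. This body restores one coherent flow from the statements that were present. The
     * request body is built inside a single {@code try} and the message is saved exactly once.
     *
     * <p>Returns without recording when no compliance config is set, read history is not enabled
     * for the index, the initiating request class (thread-context header
     * {@code _sg_initial_action_class_header}) is one of the write classes, the compliance filter
     * rejects the event, or there are no fields.
     *
     * <p>Unless {@code logReadMetadataOnly()} is set, the values that were read are copied into the
     * audit record. For a Search Guard index the matching entry is base64-decoded and recorded as
     * structured content, so the audit sink then holds configuration content and needs the same
     * protection as the index itself.
     *
     * @param str name of the index that was read
     * @param str2 id of the document that was read
     * @param shardId shard recorded on the message
     * @param map field names mapped to their values; {@code null} or empty means nothing is logged
     */
    public void logDocumentRead(String str, String str2, ShardId shardId, Map<String, String> map) {
        if (this.complianceConfig == null || !this.complianceConfig.readHistoryEnabledForIndex(str)) {
            return;
        }
        // Reads performed as part of a write request are skipped here.
        String initiatingRequestClass = this.threadPool.getThreadContext().getHeader("_sg_initial_action_class_header");
        if (initiatingRequestClass != null && writeClasses.contains(initiatingRequestClass)) {
            return;
        }
        AuditMessage.Category category = this.searchguardIndexPattern.matches(str) ? AuditMessage.Category.COMPLIANCE_INTERNAL_CONFIG_READ : AuditMessage.Category.COMPLIANCE_DOC_READ;
        UserInformation user = getUser();
        if (!checkComplianceFilter(category, user, getOrigin()) || map == null || map.isEmpty()) {
            return;
        }
        AuditMessage auditMessage = new AuditMessage(category, this.clusterService, getOrigin(), null);
        auditMessage.addRemoteAddress(getRemoteAddress());
        auditMessage.addEffectiveUser(user);
        auditMessage.addIndices(new String[]{str});
        auditMessage.addResolvedIndices(new String[]{str});
        auditMessage.addShardId(shardId);
        auditMessage.addId(str2);
        try {
            if (this.complianceConfig.logReadMetadataOnly()) {
                // Metadata-only mode: record which fields were read, never their values.
                try {
                    XContentBuilder builder = XContentBuilder.builder(JsonXContent.jsonXContent);
                    builder.startObject();
                    builder.field("field_names", map.keySet());
                    builder.endObject();
                    builder.close();
                    auditMessage.addUnescapedJsonToRequestBody(Strings.toString(builder));
                } catch (IOException e) {
                    this.log.error(e.toString(), e);
                }
            } else if (!this.searchguardIndexPattern.matches(str) || "tattr".equals(str2) || "*".equals(str2)) {
                auditMessage.addMapToRequestBody(new HashMap<>(map));
            } else {
                try {
                    // Pick the entry whose key equals the document id and decode its base64 value.
                    Map<String, String> decodedById = map.entrySet().stream()
                            .filter(entry -> entry.getKey().equals(str2))
                            .collect(Collectors.toMap(entry -> "id", entry -> new String(BaseEncoding.base64().decode(entry.getValue()), StandardCharsets.UTF_8)));
                    auditMessage.addMapToRequestBody(Utils.convertJsonToxToStructuredMap(decodedById.get("id")));
                } catch (Exception e) {
                    this.log.error("Unexpected Exception {}", e, e);
                }
            }
        } catch (Exception e) {
            // NOTE(review): this message writes the complete field map, values included, to the
            // node log, even in metadata-only mode. Consider logging only the field names.
            this.log.error("Unable to generate request body for {} and {}", auditMessage.toPrettyString(), map, e);
        }
        // Saved even when the body could not be built, so the read itself is still on record.
        save(auditMessage);
    }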

    public void logDocumentWritten(ShardId shardId, GetResult getResult, Engine.Index index, Engine.IndexResult indexResult) {
        XContentParser createParser;
        if (this.complianceConfig == null || !this.complianceConfig.writeHistoryEnabledForIndex(shardId.getIndexName())) {
            return;
        }
        AuditMessage.Category category = this.searchguardIndexPattern.matches(shardId.getIndexName()) ? AuditMessage.Category.COMPLIANCE_INTERNAL_CONFIG_WRITE : AuditMessage.Category.COMPLIANCE_DOC_WRITE;
        UserInformation user = getUser();
        if (checkComplianceFilter(category, user, getOrigin())) {
            AuditMessage auditMessage = new AuditMessage(category, this.clusterService, getOrigin(), null);
            auditMessage.addRemoteAddress(getRemoteAddress());
            auditMessage.addEffectiveUser(user);
            auditMessage.addIndices(new String[]{shardId.getIndexName()});
            auditMessage.addResolvedIndices(new String[]{shardId.getIndexName()});
            auditMessage.addId(index.id());
            auditMessage.addShardId(shardId);
            auditMessage.addComplianceDocVersion(indexResult.getVersion());
            auditMessage.addComplianceOperation(indexResult.isCreated() ? AuditLog.Operation.CREATE : AuditLog.Operation.UPDATE);
            if (this.complianceConfig.logDiffsForWrite() && getResult != null && getResult.isExists() && getResult.internalSourceRef() != null) {
                try {
                    String str = null;
                    String str2 = null;
                    if (this.searchguardIndexPattern.matches(shardId.getIndexName())) {
                        try {
                            createParser = XContentHelper.createParser(NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION, getResult.internalSourceRef(), XContentType.JSON);
                            try {
                                Object next = createParser.map().values().iterator().next();
                                str = next instanceof String ? new String(BaseEncoding.base64().decode((String) next)) : XContentHelper.convertToJson(getResult.internalSourceRef(), false, XContentType.JSON);
                                if (createParser != null) {
                                    createParser.close();
                                }
                            } finally {
                            }
                        } catch (Exception e) {
                            this.log.error(e);
                        }
                        try {
                            createParser = XContentHelper.createParser(NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION, index.source(), XContentType.JSON);
                            try {
                                Object next2 = createParser.map().values().iterator().next();
                                str2 = next2 instanceof String ? new String(BaseEncoding.base64().decode((String) next2)) : XContentHelper.convertToJson(index.source(), false, XContentType.JSON);
                                if (createParser != null) {
                                    createParser.close();
                                }
                            } finally {
                            }
                        } catch (Exception e2) {
                            this.log.error(e2);
                        }
                    } else {
                        str = XContentHelper.convertToJson(getResult.internalSourceRef(), false, XContentType.JSON);
                        str2 = XContentHelper.convertToJson(index.source(), false, XContentType.JSON);
                    }
                    JsonPatch fromDiff = JsonPatch.fromDiff(DocNode.parse(Format.JSON).from(str), DocNode.parse(Format.JSON).from(str2));
                    auditMessage.addComplianceWriteDiffSource(fromDiff.isEmpty() ? "" : fromDiff.toJsonString());
                } catch (Exception e3) {
                    this.log.error("Unable to generate diff for {}", auditMessage.toPrettyString(), e3);
                }
            }
            if (!this.complianceConfig.logWriteMetadataOnly()) {
                if (this.searchguardIndexPattern.matches(shardId.getIndexName())) {
                    try {
                        XContentParser createParser2 = XContentHelper.createParser(NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION, index.source(), XContentType.JSON);
                        try {
                            Object next3 = createParser2.map().values().iterator().next();
                            if (next3 instanceof String) {
                                auditMessage.addUnescapedJsonToRequestBody(new String(BaseEncoding.base64().decode((String) next3)));
                            } else {
                                auditMessage.addTupleToRequestBody(new Tuple<>(XContentType.JSON, index.source()));
                            }
                            if (createParser2 != null) {
                                createParser2.close();
                            }
                        } catch (Throwable th) {
                            if (createParser2 != null) {
                                try {
                                    createParser2.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    } catch (Exception e4) {
                        this.log.error(e4);
                    }
                } else {
                    auditMessage.addTupleToRequestBody(new Tuple<>(XContentType.JSON, index.source()));
                }
            }
            save(auditMessage);
        }
    }

    /**
     * Records a COMPLIANCE_DOC_WRITE audit message for a deleted document.
     *
     * <p>The message carries the remote address, effective user, index name,
     * document id, shard id, resulting document version and the DELETE
     * operation marker. Nothing is recorded when {@code checkComplianceFilter}
     * rejects the event.
     *
     * @param shardId      shard the delete was executed on; its index name is logged
     * @param delete       the delete operation; only its id is read here
     * @param deleteResult the outcome of the delete; only its version is read here
     */
    public void logDocumentDeleted(ShardId shardId, Engine.Delete delete, Engine.DeleteResult deleteResult) {
        UserInformation effectiveUser = getUser();
        if (!checkComplianceFilter(AuditMessage.Category.COMPLIANCE_DOC_WRITE, effectiveUser, getOrigin())) {
            return;
        }

        String indexName = shardId.getIndexName();
        AuditMessage msg = new AuditMessage(AuditMessage.Category.COMPLIANCE_DOC_WRITE, this.clusterService, getOrigin(), null);
        msg.addRemoteAddress(getRemoteAddress());
        msg.addEffectiveUser(effectiveUser);
        // Requested and resolved indices are the same single index for a shard-level event.
        msg.addIndices(new String[]{indexName});
        msg.addResolvedIndices(new String[]{indexName});
        msg.addId(delete.id());
        msg.addShardId(shardId);
        msg.addComplianceDocVersion(deleteResult.getVersion());
        msg.addComplianceOperation(AuditLog.Operation.DELETE);
        save(msg);
    }

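    /**
     * Records a COMPLIANCE_EXTERNAL_CONFIG audit message describing the node's
     * external configuration.
     *
     * <p>The request body holds the node settings, the JVM system properties, a
     * SHA-256 checksum over their string forms and, only when {@code logEnvVars}
     * is set, the OS environment. Settings whose key starts with
     * {@code searchguard} and contains {@code filepath} or {@code file_path} are
     * resolved to paths and attached as file infos.
     *
     * <p>NOTE(review): system properties are always written to the audit sink and
     * environment variables are written when {@code logEnvVars} is enabled. Both
     * commonly carry credentials (for example values passed with {@code -D} or
     * exported for other tooling), so the audit destination needs the same access
     * control as the secrets themselves. No redaction happens in this method.
     *
     * <p>If building the JSON body fails, the error is logged and the message is
     * still saved with the file infos but without a request body.
     *
     * @param settings    node settings to record and to scan for file path entries
     * @param environment used to resolve relative file path settings against the
     *                    config directory
     */
    public void logExternalConfig(Settings settings, Environment environment) {
        if (!checkComplianceFilter(AuditMessage.Category.COMPLIANCE_EXTERNAL_CONFIG, null, getOrigin())) {
            return;
        }

        Map<String, Object> nodeSettings = Utils.convertJsonToxToStructuredMap((ToXContent) settings);
        // Block-bodied lambdas are kept as in the original so overload selection on
        // PrivilegedCode.execute is unchanged.
        Map envVars = this.logEnvVars ? (Map) PrivilegedCode.execute(() -> {
            return System.getenv();
        }) : null;
        Properties javaProperties = (Properties) PrivilegedCode.execute(() -> {
            return System.getProperties();
        });

        // The checksum is taken over toString() output, so it depends on the iteration
        // order of these maps. NOTE(review): confirm consumers only compare checksums
        // produced by the same JVM run, or that ordering is stable enough for them.
        String checksum = DigestUtils.sha256Hex(nodeSettings.toString() + (envVars != null ? envVars.toString() : "") + javaProperties.toString());

        AuditMessage auditMessage = new AuditMessage(AuditMessage.Category.COMPLIANCE_EXTERNAL_CONFIG, this.clusterService, null, null);

        // try-with-resources closes the builder on every path; previously an exception
        // thrown while writing fields skipped the close and leaked the builder.
        try (XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent())) {
            builder.startObject();
            builder.startObject("external_configuration");
            builder.field("elasticsearch_yml", nodeSettings);
            if (this.logEnvVars) {
                builder.field("os_environment", envVars);
            }
            builder.field("java_properties", javaProperties);
            builder.field("sha256_checksum", checksum);
            builder.endObject();
            builder.endObject();
            // Explicit close before rendering is kept from the original.
            builder.close();
            auditMessage.addUnescapedJsonToRequestBody(Strings.toString(builder));
        } catch (Exception e) {
            this.log.error("Unable to build message", e);
        }

        // Left raw on purpose: the parameter type of addFileInfos is not visible here.
        HashMap filePaths = new HashMap();
        for (String key : settings.keySet()) {
            boolean isFilePathSetting = key.startsWith("searchguard") && (key.contains("filepath") || key.contains("file_path"));
            if (!isFilePathSetting) {
                continue;
            }
            String value = settings.get(key);
            if (value == null || value.isEmpty()) {
                continue;
            }
            // Values starting with "/" are taken as-is; anything else is resolved
            // against the config directory.
            filePaths.put(key, value.startsWith("/") ? Paths.get(value) : environment.configFile().resolve(value));
        }
        auditMessage.addFileInfos(filePaths);
        save(auditMessage);
    }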

    /**
     * Reads the request origin from the thread context.
     *
     * <p>The transient {@code _sg_origin} wins; the header
     * {@code _sg_origin_header} is consulted only when the transient is absent.
     *
     * @return the parsed origin, or {@code null} when neither source is set
     * @throws IllegalArgumentException if the stored value is not the name of an
     *         {@code AuditLog.Origin} constant (raised by {@code valueOf})
     */
    private AuditLog.Origin getOrigin() {
        String originName = (String) this.threadPool.getThreadContext().getTransient("_sg_origin");
        if (originName == null) {
            // Fall back to the header form; stays null when the header is missing too.
            originName = this.threadPool.getThreadContext().getHeader("_sg_origin_header");
        }
        return originName == null ? null : AuditLog.Origin.valueOf(originName);
    }

    /**
     * Reads the caller's remote address from the thread context.
     *
     * <p>The transient {@code _sg_remote_address} wins. Otherwise the header
     * {@code _sg_remote_address_header} is decoded with
     * {@code Base64Helper.deserializeObject} and wrapped in a
     * {@code TransportAddress}.
     *
     * <p>NOTE(review): the fallback deserializes an object out of a header value.
     * Confirm that {@code Base64Helper.deserializeObject} restricts which classes
     * it will instantiate and that this header cannot be supplied by an
     * unauthenticated client; neither is visible from this method.
     *
     * @return the remote address, or {@code null} when neither source is set
     */
    private TransportAddress getRemoteAddress() {
        TransportAddress fromTransient = (TransportAddress) this.threadPool.getThreadContext().getTransient("_sg_remote_address");
        if (fromTransient != null) {
            return fromTransient;
        }
        String encodedAddress = this.threadPool.getThreadContext().getHeader("_sg_remote_address_header");
        if (encodedAddress == null) {
            return null;
        }
        return new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(encodedAddress));
    }

    /**
     * Reads the effective user from the thread context.
     *
     * <p>The transient {@code _sg_user} wins. Otherwise the header
     * {@code _sg_user_header} is decoded with
     * {@code Base64Helper.deserializeObject}.
     *
     * <p>NOTE(review): the fallback trusts a serialized user object taken from a
     * header. Confirm that the deserializer restricts the classes it accepts and
     * that this header is only ever set by trusted nodes; the audit record's
     * user attribution depends on it.
     *
     * @return the user, or {@code null} when neither source is set
     */
    private UserInformation getUser() {
        User current = (User) this.threadPool.getThreadContext().getTransient("_sg_user");
        if (current != null) {
            return current;
        }
        String encodedUser = this.threadPool.getThreadContext().getHeader("_sg_user_header");
        if (encodedUser != null) {
            current = Base64Helper.deserializeObject(encodedUser);
        }
        return current;
    }

    /**
     * Returns the headers of the current thread context, exactly as the thread
     * context hands them out (no copy is made here).
     *
     * @return the thread context's header map
     */
    private Map<String, String> getThreadContextHeaders() {
        Map<String, String> contextHeaders = this.threadPool.getThreadContext().getHeaders();
        return contextHeaders;
    }

    /**
     * Decides whether a transport-layer event should be written to the audit log.
     *
     * <p>Checks run in this order; the first one that applies rejects the event:
     * <ol>
     *   <li>transport auditing is off and the category is not FAILED_LOGIN,
     *       MISSING_PRIVILEGES or SG_INDEX_ATTEMPT;</li>
     *   <li>the action starts with {@code internal:}, {@code cluster:monitor} or
     *       {@code indices:monitor};</li>
     *   <li>the user name matches {@code ignoredAuditUsers};</li>
     *   <li>the action or the request's simple class name matches
     *       {@code ignoreAuditRequests};</li>
     *   <li>the category is listed in {@code disabledTransportCategories}.</li>
     * </ol>
     *
     * <p>Rejections are reported at TRACE level only (the first two not at all),
     * so with default logging an ignored user or request leaves no record that
     * an event was dropped.
     *
     * @param category         audit category of the event
     * @param str              transport action name; may be {@code null}
     * @param userInformation  effective user; may be {@code null}
     * @param transportRequest the request; may be {@code null}
     * @return {@code true} if the event should be audited
     */
    private boolean checkTransportFilter(AuditMessage.Category category, String str, UserInformation userInformation, TransportRequest transportRequest) {
        final boolean trace = this.log.isTraceEnabled();
        if (trace) {
            this.log.trace("Check category:{}, action:{}, effectiveUser:{}, request:{}", category, str, userInformation, transportRequest == null ? null : transportRequest.getClass().getSimpleName());
        }

        // These three categories are audited even when transport auditing is switched off.
        boolean alwaysAudited = category == AuditMessage.Category.FAILED_LOGIN
                || category == AuditMessage.Category.MISSING_PRIVILEGES
                || category == AuditMessage.Category.SG_INDEX_ATTEMPT;
        if (!this.transportAuditingEnabled && !alwaysAudited) {
            return false;
        }

        if (str != null) {
            boolean internalOrMonitoring = str.startsWith("internal:") || str.startsWith("cluster:monitor") || str.startsWith("indices:monitor");
            if (internalOrMonitoring) {
                return false;
            }
        }

        if (userInformation != null && this.ignoredAuditUsers.matches(userInformation.getName())) {
            if (trace) {
                this.log.trace("Skipped audit log message because of user {} is ignored", userInformation);
            }
            return false;
        }

        if (transportRequest != null && (this.ignoreAuditRequests.matches(str) || this.ignoreAuditRequests.matches(transportRequest.getClass().getSimpleName()))) {
            if (trace) {
                this.log.trace("Skipped audit log message because request {} is ignored", str + "#" + transportRequest.getClass().getSimpleName());
            }
            return false;
        }

        if (this.disabledTransportCategories.contains(category.toString())) {
            if (trace) {
                this.log.trace("Skipped audit log message because category {} not enabled", category);
            }
            return false;
        }
        return true;
    }

    /**
     * Decides whether a compliance event should be written to the audit log.
     *
     * <p>An event is rejected when:
     * <ul>
     *   <li>the origin is LOCAL, there is no user and the category is not
     *       COMPLIANCE_EXTERNAL_CONFIG;</li>
     *   <li>it is a read category (COMPLIANCE_DOC_READ or
     *       COMPLIANCE_INTERNAL_CONFIG_READ) and the user name matches
     *       {@code ignoredComplianceUsersForRead};</li>
     *   <li>it is a write category (COMPLIANCE_DOC_WRITE or
     *       COMPLIANCE_INTERNAL_CONFIG_WRITE) and the user name matches
     *       {@code ignoredComplianceUsersForWrite}.</li>
     * </ul>
     *
     * <p>Rejections are reported at TRACE level only, so activity by an ignored
     * user is invisible in the compliance trail under default logging.
     *
     * @param category        compliance category of the event
     * @param userInformation effective user; may be {@code null}
     * @param origin          request origin; may be {@code null}
     * @return {@code true} if the event should be recorded
     */
    private boolean checkComplianceFilter(AuditMessage.Category category, UserInformation userInformation, AuditLog.Origin origin) {
        final boolean trace = this.log.isTraceEnabled();
        if (trace) {
            this.log.trace("Check for COMPLIANCE category:{}, effectiveUser:{}, origin: {}", category, userInformation, origin);
        }

        if (origin == AuditLog.Origin.LOCAL && userInformation == null && category != AuditMessage.Category.COMPLIANCE_EXTERNAL_CONFIG) {
            if (trace) {
                this.log.trace("Skipped compliance log message because of null user and local origin");
            }
            return false;
        }

        boolean readCategory = category == AuditMessage.Category.COMPLIANCE_DOC_READ
                || category == AuditMessage.Category.COMPLIANCE_INTERNAL_CONFIG_READ;
        if (readCategory && userInformation != null && userInformation.getName() != null && this.ignoredComplianceUsersForRead.matches(userInformation.getName())) {
            if (trace) {
                this.log.trace("Skipped compliance log message because of user {} is ignored", userInformation);
            }
            return false;
        }

        boolean writeCategory = category == AuditMessage.Category.COMPLIANCE_DOC_WRITE
                || category == AuditMessage.Category.COMPLIANCE_INTERNAL_CONFIG_WRITE;
        if (writeCategory && userInformation != null && userInformation.getName() != null && this.ignoredComplianceUsersForWrite.matches(userInformation.getName())) {
            if (trace) {
                this.log.trace("Skipped compliance log message because of user {} is ignored", userInformation);
            }
            return false;
        }
        return true;
    }

    /**
     * Decides whether a REST-layer event should be written to the audit log.
     *
     * <p>Checks run in this order; the first one that applies rejects the event:
     * <ol>
     *   <li>REST auditing is off and the category is not FAILED_LOGIN,
     *       MISSING_PRIVILEGES or SG_INDEX_ATTEMPT;</li>
     *   <li>the user name matches {@code ignoredAuditUsers};</li>
     *   <li>the request path matches {@code ignoreAuditRequests};</li>
     *   <li>the category is listed in {@code disabledRestCategories}.</li>
     * </ol>
     *
     * <p>Rejections are reported at TRACE level only (the first not at all), so
     * with default logging an ignored user or path leaves no record that an
     * event was dropped.
     *
     * @param category        audit category of the event
     * @param userInformation effective user; may be {@code null}
     * @param restRequest     the REST request; may be {@code null}
     * @return {@code true} if the event should be audited
     */
    private boolean checkRestFilter(AuditMessage.Category category, UserInformation userInformation, RestRequest restRequest) {
        final boolean trace = this.log.isTraceEnabled();
        if (trace) {
            this.log.trace("Check for REST category:{}, effectiveUser:{}, request:{}", category, userInformation, restRequest == null ? null : restRequest.path());
        }

        // These three categories are audited even when REST auditing is switched off.
        boolean alwaysAudited = category == AuditMessage.Category.FAILED_LOGIN
                || category == AuditMessage.Category.MISSING_PRIVILEGES
                || category == AuditMessage.Category.SG_INDEX_ATTEMPT;
        if (!this.restAuditingEnabled && !alwaysAudited) {
            return false;
        }

        if (userInformation != null && this.ignoredAuditUsers.matches(userInformation.getName())) {
            if (trace) {
                this.log.trace("Skipped audit log message because of user {} is ignored", userInformation);
            }
            return false;
        }

        if (restRequest != null && this.ignoreAuditRequests.matches(restRequest.path())) {
            if (trace) {
                this.log.trace("Skipped audit log message because request {} is ignored", restRequest.path());
            }
            return false;
        }

        if (this.disabledRestCategories.contains(category.toString())) {
            if (trace) {
                this.log.trace("Skipped audit log message because category {} not enabled", category);
            }
            return false;
        }
        return true;
    }

    /**
     * Hands a fully populated audit message to the concrete audit log
     * implementation. The logging methods of this class call it as their last
     * step, after the relevant filter has accepted the event.
     *
     * @param auditMessage the message to store
     */
    protected abstract void save(AuditMessage auditMessage);
}
